LinuxQuestions.org
02-08-2007, 06:57 AM   #1
gbowden
Member

Registered: Dec 2003
Location: Spain
Distribution: Slackware 14.1 64bit - multilib
Posts: 148

Rep: Reputation: 28
Possible SYN flooding?


I seem to be getting a few of these messages after upgrading to a 2.6.20 kernel and upgrading arno's firewall script.

Feb 8 12:51:56 gbnet kernel: possible SYN flooding on port 19516. Sending cookies.

Port 19516 is the port I use for Bittorrent.

Any ideas?

Regards,

Gregory Bowden
 
02-08-2007, 07:39 AM   #2
unSpawn
Moderator

Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3603
How many connections are we talking about ("netstat -ant | grep -c SYN_RECV")?
Does your firewall have any SYN checking in place (tcp --syn -> --limit-burst)?
Does the situation persist if you stop Bittorrent?
Does the situation persist if you (re)start Bittorrent with options like (or equiv to) --max_uploads, --max_initiate, --max_allow_in?

For background info here's the IETF Draft and a doc from Cisco (cuz it has pretty pictures). For more info see the LQ FAQ: Security references, post #2 "Netfilter, firewall, Iptables, Ipchains, DoS, DDoS".
 
02-08-2007, 08:01 AM   #3
gbowden
Original Poster
Thanks

Running the netstat command I get the following:

Code:
13:57:05 root@gbnet:~# netstat -ant | grep -c SYN_RECV
8

These are my iptables rules I'm using for Bittorrent:

Code:
# Put any custom (iptables) rules here down below:
##################################################
# Bittorrent
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 19516 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 19517 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 6881 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 6881 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 6346 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p udp --dport 6346 -j ACCEPT
iptables -I INPUT 1 -i eth0 -p tcp --tcp-flags SYN,RST,ACK SYN --dport 60500 -j ACCEPT

When I stop running KTorrent, the Bittorrent application, these messages stop.

Regards,

Gregory Bowden
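
The `grep -c SYN_RECV` count above is a single total for the whole host. The following is an added example, not part of the original thread, that breaks the same `netstat -ant` output down per local port, so the count can be compared with the port named in the kernel message. The function names, the threshold argument and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: break the SYN_RECV count down per local port.

# Constructed sample in `netstat -ant` layout (documentation-range peers).
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:19516           0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.2:19516       198.51.100.7:51000      ESTABLISHED
tcp        0      0 192.168.0.2:19516       203.0.113.5:40001       SYN_RECV
tcp        0      0 192.168.0.2:19516       203.0.113.6:40002       SYN_RECV
tcp        0      0 192.168.0.2:19516       203.0.113.7:40003       SYN_RECV
tcp6       0      0 ::ffff:192.168.0.2:19516 ::ffff:203.0.113.8:40004 SYN_RECV
tcp        0      0 192.168.0.2:6881        198.51.100.9:40005      SYN_RECV
tcp        0      1 192.168.0.2:45000       198.51.100.10:6881      SYN_SENT
EOF
}

# Read netstat -ant text on stdin; print "<local port> <SYN_RECV count>",
# busiest port first. Only inbound half-open connections are counted.
syn_recv_by_port() {
    awk '$1 ~ /^tcp/ && $6 == "SYN_RECV" {
             n = split($4, part, ":")   # port is the last ":" field, IPv6 included
             count[part[n]]++
         }
         END { for (p in count) print p, count[p] }' |
    sort -k2,2nr -k1,1n
}

# Print the ports whose count is at or above $1 (hypothetical threshold).
ports_over() {
    syn_recv_by_port | awk -v t="$1" '$2 >= t { print $1 }'
}

# Demo on the constructed sample; on a live host use:
#   netstat -ant | syn_recv_by_port
sample_netstat | syn_recv_by_port
```

Running it repeatedly while the Bittorrent client is started and stopped shows whether the half-open connections follow the client's listening port.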
 
02-08-2007, 08:15 AM   #4
unSpawn
OK. Three answered, one to go.
 
02-08-2007, 08:32 AM   #5
gbowden
Original Poster
Dear unSpawn,

I'm using KTorrent to download torrents, so I don't really know what options correspond with the ones you posted.

But I have max uploads set to 10, 150 connections per torrent and 300 connections globally. I'm also limiting the upload speed to 15KB/sec and download to 100KB/sec.

Last edited by gbowden; 02-08-2007 at 08:43 AM.
 
02-08-2007, 08:41 AM   #6
unSpawn
Heh, I said "or equivalent". I don't know, *you* run that application so you have the docs.
 
02-08-2007, 08:49 AM   #7
gbowden
Original Poster
Ok I seem to have found the problem.
Once I deleted the torrent I thought was causing the problem the messages just stopped appearing.

Thanks for your help.

Regards,

Gregory Bowden
 
02-08-2007, 09:16 AM   #8
unSpawn
NP. You found the cause but I still have no idea why it did excessive SYNs. Could you post some specs about that particular torrent? Like what tracker(s) it's on, does it do peerless as well; any clue that helps would be welcome. Else if you think sharing the .torrent could help, contact me by email and I'll have a look.
 
  


All times are GMT -5.